Cybercriminals are mass-mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails in an attempt to trick users into clicking on URLs in the bogus emails that serve client-side exploits and drop malware. Let’s dissect the campaign, expose the portfolio of malicious domains using it, provide MD5s for a sample exploit and the dropped malware, and connect the campaign with previously launched, already profiled malicious campaigns.

Known to have responded to the same IP (174.142.186.89) are also the following fraudulent/malicious domains:

Known to have responded to 62.173.142.30 are also the following malicious domains:megapolis-cars.ru poleznoeda.ru rutexim.ru stranniki-music.ru xn--80ahcajwqeee.xn--p1ai

Known to have responded to 216.218.208.55 are also the following malicious domains: demuronline.net, samsung-galaxy-games.net

Known to have responded to 95.111.32.249 are also the following malicious domains:stjamesang.net

Name servers part of the campaign’s infrastructure:
Name Server: NS1.NAMASTELEARNING.NET – 86.64.152.26 – Email: minelapse2001@outlook.com – Deja vu! We’ve already seen the same email used in a related Facebook themed malicious campaign.
Name Server: NS2.NAMASTELEARNING.NET – 205.28.29.52

The following name servers are also providing DNS services to the following malicious domains:
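Several of the campaign's hostnames stack a trusted brand in front of an attacker-registered domain (fdic.gov.horse-mails.net, irs.gov.successsaturday.net, nacha.org.demuronline.net), so a blocklist keyed on full hostnames misses the next variant. The Python below is an added example, not code from the original post: it reduces each queried name to its registrable domain, flags queries for the campaign's domains, and flags any other name that borrows a spoofed brand as its leading labels, run over constructed DNS log lines. The two-label registrable-domain rule and the log format are assumptions for the example; production code would use the Public Suffix List and the resolver's real log format.

```python
"""Flag DNS queries for known campaign domains and brand-prefixed lookalikes."""
import re

# Attacker-registered domains named in the post.
CAMPAIGN_DOMAINS = {"horse-mails.net", "successsaturday.net", "demuronline.net",
                    "achrezervations.com", "multiachprocessor.com",
                    "samsung-galaxy-games.net", "airfare-ticketscheap.com"}
# Brands the campaign stacks in front of its own domains (e.g. fdic.gov.horse-mails.net).
SPOOFED_BRANDS = {"fdic.gov", "irs.gov", "nacha.org", "facebook.com"}

def registrable_domain(fqdn):
    """Assumption: the last two labels are the registrable domain (no Public Suffix List)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def spoofed_brand(fqdn):
    """Return the brand used as leading labels of a name it does not own, else None."""
    host = fqdn.lower().rstrip(".")
    reg = registrable_domain(host)
    for brand in SPOOFED_BRANDS:
        if host.startswith(brand + ".") and reg != brand:
            return brand
    return None

# Assumed dnsmasq-style log format: "<timestamp> <client> query[A] <qname>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query\[A\] (?P<qname>\S+)")

def scan_dns_log(lines):
    """Return (client, qname, reason) for every suspicious query in the log."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        qname = m["qname"]
        reg = registrable_domain(qname)
        if reg in CAMPAIGN_DOMAINS:
            hits.append((m["client"], qname, f"known campaign domain {reg}"))
        elif (brand := spoofed_brand(qname)):
            hits.append((m["client"], qname, f"{brand} spoofed under {reg}"))
    return hits

# Constructed sample log lines (not from the post); 10.0.0.x are placeholder clients.
SAMPLE_LOG = [
    "2012-09-10T08:01:02 10.0.0.5 query[A] www.fdic.gov",
    "2012-09-10T08:01:09 10.0.0.5 query[A] fdic.gov.horse-mails.net",
    "2012-09-10T08:01:31 10.0.0.6 query[A] nacha.org.demuronline.net",
    "2012-09-10T08:02:14 10.0.0.7 query[A] irs.gov.lookalike-example.net",
]
```

The legitimate www.fdic.gov query is left alone because its registrable domain is the brand itself, while the lookalike-example.net query is flagged even though that domain is not on the list.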

Once executed, the sample phones back to the following C&C servers: